harvard-edtech / caccl

The Canvas App Complete Connection Library (CACCL) is an all-in-one library for building Canvas-integrated apps. By handling LTI, authorization, and api for you, CACCL makes building Canvas-integrated tools quick and easy. Keywords: Canvas LMS Instructure API LTI Authorization EdTech Education
MIT License

Gathr-150 caccl express session memory store leak #18

Closed karendolan closed 3 years ago

karendolan commented 3 years ago

I don't know the dev strategy on this repo, so I pointed the pull to master and updated patch version. Please feel free to correct me!

This pull is to update express-session with a non-leaky memory store, as recommended here: https://github.com/expressjs/session/blob/master/

The https://www.npmjs.com/package/memorystore is a lightweight in-memory MemoryStore using lru-cache strategy.

It also updates some caccl lib patch versions that were showing vulnerable.
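The leak this pull addresses, as an added illustration that is not CACCL's code and not the memorystore package: an unbounded in-memory store that only reaps a session when it is read again, next to a store that carries an expiry per entry, sweeps stale entries on a timer and caps its size with LRU eviction. Method names follow express-session's Store contract (get/set/destroy/touch with callbacks); the class names, option names and the injectable clock are constructed for this example.

```javascript
// Added illustration, not CACCL's or memorystore's code. Method names follow
// express-session's Store contract (get/set/destroy/touch, callback style);
// class names, options and the injected `now` clock are constructed here.

// Unbounded variant: a stale session is only removed when something reads it,
// so sessions never revisited (bots, abandoned LTI launches) stay in memory forever.
class LeakyStore {
  constructor() { this.sessions = new Map(); }
  set(sid, sess, cb) { this.sessions.set(sid, JSON.stringify(sess)); if (cb) cb(); }
  get(sid, cb) {
    const raw = this.sessions.get(sid);
    if (!raw) return cb(null, null);
    const sess = JSON.parse(raw);
    const exp = sess.cookie && sess.cookie.expires;
    if (exp && Date.now() >= new Date(exp).getTime()) { this.sessions.delete(sid); return cb(null, null); }
    cb(null, sess);
  }
  destroy(sid, cb) { this.sessions.delete(sid); if (cb) cb(); }
  length(cb) { cb(null, this.sessions.size); }
}

// Bounded variant: every entry carries an expiry, prune() sweeps stale entries
// (run it on a timer; memorystore's checkPeriod option plays this role) and a
// hard cap evicts the least recently used entry, so memory stays bounded.
class BoundedStore {
  constructor({ ttl = 60000, max = 10000, now = Date.now } = {}) { Object.assign(this, { ttl, max, now, sessions: new Map() }); }
  expiresAt(sess) {
    const exp = sess.cookie && sess.cookie.expires;
    return exp ? new Date(exp).getTime() : this.now() + this.ttl;
  }
  set(sid, sess, cb) {
    this.sessions.delete(sid); // re-insert at the end of the Map = most recently used
    this.sessions.set(sid, { raw: JSON.stringify(sess), expires: this.expiresAt(sess) });
    while (this.sessions.size > this.max) this.sessions.delete(this.sessions.keys().next().value);
    if (cb) cb();
  }
  get(sid, cb) {
    const e = this.sessions.get(sid);
    if (!e) return cb(null, null);
    if (this.now() >= e.expires) { this.sessions.delete(sid); return cb(null, null); }
    this.sessions.delete(sid); this.sessions.set(sid, e); // refresh LRU position
    cb(null, JSON.parse(e.raw));
  }
  touch(sid, sess, cb) { const e = this.sessions.get(sid); if (e) e.expires = this.expiresAt(sess); if (cb) cb(); }
  destroy(sid, cb) { this.sessions.delete(sid); if (cb) cb(); }
  prune() { for (const [sid, e] of this.sessions) if (this.now() >= e.expires) this.sessions.delete(sid); return this.sessions.size; }
  length(cb) { cb(null, this.sessions.size); }
}
```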

karendolan commented 3 years ago

How have you tested this so far? I just want to make sure this is used very carefully.

I tested with a 60 sec timeout and it worked as expected from local Gather. The repo appears to be popular and currently updated (https://github.com/roccomuso/memorystore). There are 55k npm downloads/week.

gabeabrams commented 3 years ago

Brilliant!